Things For Which Cryptographic Signing Would Be Useful


Every time someone mentions BlockChain, I have to down my drink. Those are the rules.

You see, most uses of Distributed Ledger are really just a way to get people interested in cryptographic signing. There's lots of money and attention flowing to projects which have no need to publish to an energy-inefficient global database. They would be better suited to public-key cryptography.

Let me give you an example, then we'll dive into some details.

Recently, I needed to prove that I went to University. How did I do it? I rang up the alumni department, paid for a copy of my transcript, they posted it to me printed on high quality paper, I scanned it and emailed it to the person who wanted it. I've no idea if anyone checked if it was legitimate.

This is fragile nonsense!

In an Internet-connected world, sending forgeable bits of paper around is just daft. All the university needed to do was publish something like this:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I confirm that Terence Eden studied at Example University 1998-2002 earning a 2.1 in Advanced Drinking
-----BEGIN PGP SIGNATURE-----

wsFcBAEBCAAQBQJbCnsECRAADQX2QFV8YgAA6swQAHTZ2jtR2x5bK1oX+shZK0SM
1EXIWvBN0ECzeFsY86AtL4bd9qTKwpjgWPsPN4NSh7Rpg2xvgLTKIdFWSsMsWTrw
QPtKiaFbYa/1Cah8uBV6rSJOodKXRGveni9vojpjT1fUZ0APhzhLbki6mvfwMquq
IWQwqgEAp4odp8Yv98sIXvSKlc/f7Y4XDYmCyapPaoNDOpzXsROSuQIqaLqrTrjf
D/U+fTQrKSx9LqsW7KLgb3dfBPXVOjBmFdCn+iNJjVMF1GLNk0fjWsUu3oy4vvrX
9SCoM5TzCxBRdGZpVmrvOSr0hg5Rmx7VRXfVhUj4/kfaM2s0NWxGr0rBMzRYsl1o
OLDplZqhYxcHI3XivfFTAwZY7UZvCPnNJCQCFDtpFnRgdpq97Lynj2cF6u9gU/gL
Kb3cTeut2uHtMJAG7DN3tpQMLWDrbX96eXDB64zD73gfOyXrbjivSStSlCC8VrmU
njkc3393qiYW9AF9zKtYo8x/9n0/WhO6kSW0Mt/V6LdIhqFVqHyWZqh6vRAtfNIf
W80OR/dKtXSBYZgmg72/pgZBNeBne9lL+Nd4I/MlVzmC96fI+jkoeXO0cZanXWRm
2JoW+7R8I8de4PS9fjTMl8fVgEAsWFXjMUas0fJu4POxQDoSIaSEGxYJvTc01lGS
tzdqLOC6zBKeS6ndUFdH
=kSYS
-----END PGP SIGNATURE-----

Now, perhaps it needs to be cross-signed with a Trusted Timestamp Server, or possibly to incorporate my signing key as well - but the basics are there. Either stick that up on a website, or email it to anyone who wants to check my qualifications.

No Merkle-Trees or paying vastly inflated transaction fees. Just a document which has been signed by the issuer and can be validated as legitimate. Why do you need anything else? Public key signature systems are quick, simple, and cheap. Pick any three!

The best part is... this technology is already in use! If you have a modern passport, it contains an RFID chip which holds data about you. These biometric data are cryptographically signed. It uses a PKI solution to ensure no one has tampered with the information.

Potential Uses

Feel free to add more in the comments section.

  • Qualifications
    • Example University confirms that I have this qualification.
  • Work history / employment references
    • Big Corp verifies that I was employed from these dates in this position.
  • Customer verification
    • Energy Company confirms I am a current customer.
  • Nuclear Launch Codes
    • This order is legitimate and has been cross-signed by at least 3 members of the command chain.
  • Medicine Licencing
    • This drug is approved by this regulator in this territory.
  • Legislation
    • This amendment to that law was published by this legislature.
  • Prison sentences
    • This Judge issued this sentence on that person.
  • Food
    • The farm that provided this food has been certified as an organic farm by this inspector.
  • Statements
    • This document was written by that author and published by that organisation.
  • Prescriptions
    • This doctor from that surgery prescribes these drugs to that patient.
  • Credit History
    • This mortgage has been provided to that person and they have paid off 10% of it.

Downsides

This is a technological solution to the human problem of trust.

Firstly, there's no guarantee that people will actually verify the message - as this XKCD Cartoon puts it so succinctly.

[XKCD cartoon. Caption: "How to use PGP to verify that an email is authentic: Look for this text at the top". An arrow points to the highlighted line "-----BEGIN PGP SIGNED MESSAGE-----" at the top of a greyed-out email that continues "HASH: SHA256 / Hey, / First of all, thanks for taking care of". Below the email: "If it's there, the email is probably fine."]

Secondly, there's no guarantee that people will actually have the software to verify the message - US Border Patrol are still unable to verify e-Passports.

Thirdly, there's no guarantee that keys won't be stolen or broken in the future. One (small) advantage of a Distributed Ledger is that you can verify when a claim was published. Assuming a malicious party hasn't found yet another weakness in the technology.

Fourthly, a claim once issued is hard to revoke. If my university discovers I cheated in an exam, or if a company mistakenly says I am their customer - how do you issue a notice of revocation? If a corrupt employee is bribed to make a fake claim about me, it could be impossible to backtrack.
Again, this problem isn't solved by putting claims on a BlockChain.
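
The signed claim from earlier and the revocation problem just described can be put together in one check, shown here as an added example that is not from the original post. It swaps Ed25519 from the Go standard library in for OpenPGP, and the claim ID, the `revoked:` list format and the function names are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Constructed sample claim. The "id=" field is an assumption added so the
// issuer has something to name in a revocation list.
const claim = "id=EX-0001;Terence Eden studied at Example University 1998-2002"

// keyFor derives a fixed demo key pair from a label so the example is
// repeatable. Real issuers generate keys from a CSPRNG.
func keyFor(label string) (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte(label))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// Verify accepts a claim only if its signature checks against the pinned
// issuer key and the issuer's signed revocation list does not name it.
func Verify(issuer ed25519.PublicKey, msg string, sig []byte, revoked string, revSig []byte) error {
	// Type prefixes stop a signed claim being replayed as an "empty" list.
	if !strings.HasPrefix(msg, "id=") || !strings.HasPrefix(revoked, "revoked:") {
		return fmt.Errorf("unexpected message type")
	}
	if !ed25519.Verify(issuer, []byte(msg), sig) {
		return fmt.Errorf("bad signature on claim")
	}
	if !ed25519.Verify(issuer, []byte(revoked), revSig) {
		return fmt.Errorf("revocation list not signed by issuer")
	}
	id := strings.SplitN(strings.TrimPrefix(msg, "id="), ";", 2)[0]
	for _, r := range strings.Fields(strings.TrimPrefix(revoked, "revoked:")) {
		if r == id {
			return fmt.Errorf("claim %s has been revoked", id)
		}
	}
	return nil
}

func main() {
	pub, priv := keyFor("example-university")
	list := "revoked: EX-0042" // constructed list naming some other claim
	err := Verify(pub, claim, ed25519.Sign(priv, []byte(claim)), list, ed25519.Sign(priv, []byte(list)))
	fmt.Println("verification error:", err) // <nil> means accepted
}
```

A real list would also carry an issue date that the verifier checks for freshness, otherwise a list published before the revocation can be replayed.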

Finally, there's no guarantee that people will understand what verification means.

Just because I present you evidence that "Terence Eden" has a qualification, that doesn't mean that I am Terence Eden. Or even the same Terence Eden mentioned.

Just because the label on a box of baby-milk claims that the supply chain has been verified, it does not mean that the contents are unadulterated with plastic.

Which leads us back to the start. We can make verifiable claims - but will anyone care? In a world where a scrawled ink signature is seen as the ultimate proof of truth and easily debunked forgeries are treated as genuine news, how do we convince people to care about verification?



One thought on “Things For Which Cryptographic Signing Would Be Useful”

  1. Alex says:

    I remember discussions in the 1990s about how to get a PKI infrastructure off the ground. One of the problems being how do you have a trusted PKI provider (the post office was mooted at one point) and another was how do you prove to the PKI provider that you are who you say you are. Without those things it wasn’t really about your actual identity, but more the concept that your message claiming to be X hadn’t been tampered with IIRC. I once had a personal cert from Thawte which was using a ‘web of trust’ model whereby you could visit other people (who had certificates) in person who would verify your documents (passport etc) and sign your cert. Once you had been signed by a certain number of people you could become a signer yourself. I think that didn’t last (and I lost track of my cert!). I suppose it would work for organisations like the university in your example above because they may have a certificate chain for themselves which goes all the way back to a trusted root CA, but even then… the discussions surrounding EV certificates here were illuminating https://twitter.com/troyhunt/status/940308131925467136

    I’m no fan of the distributed ledger blockchain for a number of reasons. I’m not sure whether the proposals for it in Identity actually resolve the original problems about trust in PKI, as you are indicating at the end of the article.

    So, do you think having a reliable PKI infrastructure will depend upon technology, on process, or some combination of the two?
